You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Nikhil (Jira)" <ji...@apache.org> on 2020/01/08 12:46:00 UTC

[jira] [Created] (TOMEE-2760) javax.net.ssl.SSLException(certificate_unknown) while deploying a enterprise ear over TOMEE8

Nikhil created TOMEE-2760:
-----------------------------

             Summary: javax.net.ssl.SSLException(certificate_unknown) while deploying a enterprise ear over TOMEE8
                 Key: TOMEE-2760
                 URL: https://issues.apache.org/jira/browse/TOMEE-2760
             Project: TomEE
          Issue Type: Bug
          Components: TomEE Core Server
    Affects Versions: 8.0.0-Final
            Reporter: Nikhil


Hi,

 

We are trying to deploy an enterprise level EAR application on the TomEE 8.0 environment with JDK 1.8.x and ActiveMQ setup war.

 

During the startup of the TomEE server, while deploying the EAR file.. we got into below exceptions..

 

org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}org.apache.activemq.broker.TransportConnector$1 onAcceptError [SEVERE] Could not accept connection from null : {}java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196) at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543) at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174) at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470) at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55) at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169) at org.apache.activemq.transport.InactivityMonitor.start(InactivityMonitor.java:52) at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64) at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:72) at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64) at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072) at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) at org.apache.activemq.transport.nio.NIOSSLTransport.secureRead(NIOSSLTransport.java:393) at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:428) at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:164) ... 14 more

 

Further the below stack trace --

 

org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}org.apache.activemq.transport.failover.FailoverTransport doReconnect [FINE] Connect fail to: nio+ssl+context://myhost:27145, reason: {}javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost found at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757) at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115) at java.io.DataOutputStream.flush(DataOutputStream.java:123) at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:194) at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:335) at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:317) at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:181) at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84) at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74) at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:1017) at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:148) at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:133) at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:48) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)Caused by: java.security.cert.CertificateException: No name matching myhost found at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231) at sun.security.util.HostnameChecker.match(HostnameChecker.java:96) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ... 22 more

 

 

The same EAR deployment was working fine with 7.0.3 TomEE environment + JDK 8.

 

While researching, we found that the similar issue w.r.t hostname verification was added recently as part of ActiveMQ 5.15.x change @ [https://securitytracker.com/id/1041618]
|
|The vendor advisory is available at:

http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt|
|

 

We couldn't see any option for disabled the same in TOMEE or ActiveMQ.xml 

 

Please let us know if there is any issue w.r.t above configurations.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)